Yes, agreed. What we see is simply a clever way to differentiate the customers that can pay a premium from those that can't. The end goal is to extract the maximum amount of money.

This is just flat-out untrue, OIDC or SAML plus SCIM should be the default for any enterprise-focused service provider or "you're doing it wrong". You can offer your own IDP as the default, but all of the problems that need to be solved to allow your customers to configure their own IDP are important to the design/architecture of your service and the only reason these providers are treating it as special is because they didn't build the integration between their service and their IDP correctly the first time. Provisioning and authentication are critical to security and you're actively harming your customers if you require them to use your own IDP solution in order to use your service.

I self host a bunch of apps that have SSO as enterprise feature. i want to invite my family/friends into these apps, i don't wanna spend additional 20 000$ for the SSO part, but it be real sweet if i could use it. It would eliminate so much questions like "hey.. what was my login to X?" or "can you reset my password to Y" if i could just use SSO.

Especially so if the customer is not a tech company or otherwise has IT staff that aren't uh motivated.

Add in SCIM and IT people "changing stuff to better align with our other stuff" and you just get a whole steamy barrel of fun.

Are you working for Stripe and the issue is names not syncing via SCIM perchance? In that case I’m the customer and reasonably sure it’s your fault ;)

Yep, I used to deal with this at $LastJob and amount of support burden was terrible.

Azure AD/Entra ID (Microsoft IDP) was most common and amount of IT folks who don't have a clue about it is staggering.

Companies kicking over issues to us when it's their problem. "Hey, we have a ticket saying MFA Required but account shows as Entra ID." "Send it back with contact their IT team." "Their IT team opened the ticket" rage screaming

Companies not following setup instructions. I used to provide Terraform, Powershell and Graphical setup. I can count on one hand how many people used Terraform/Powershell. This was always dicey because I got familiar with the error messages and would be "Yep, this was not setup right on their end." I had 4 phone calls with $CustomerIT swearing it was setup properly and stopped attending after that. Finally they got someone with a brain to review and finished setup.

Documentation would fall out of date because of some UI change and I'd spend a day reviewing it and updating it.

... Because the specifications are open. Practically the whole Internet is built on open specifications. The security and operations benefits are obvious for enterprise customers. Startups could also benefit greatly from it, but the cost ramping of the large providers is onerous.

I don’t think you should have to pay extra for extra security in general. Making a product or service free of security defects ought to be considered a basic requirement of merchantability.

But we should also draw a distinction between, like, real security defects (RCEs, that sort of thing) and features that might make it easier to deploy a system securely (SSO).

Out of curiosity, why GitHub as the SSO provider? Am thinking about local SSO for my homelab and was debating passkeys vs tying to Google accounts.

I once worked at a company in the Healthcare space that acquired a small company for $10 million. When the deal closed and they showed us the Patient Portal, the first thing I noticed was no HTTPS. At all. Just plain HTTP everywhere.

That's why single sign on is so great, every single vendor has their own way of implementing it.

Disclosure, I work for FusionAuth.

heya robertkoss, FusionAuth is software you can run yourself for free which is comparable to Auth0, Clerk, WorkOS. We have a community plan with unlimited SSO providers (SAML and OIDC; sorry, we don't support WS-Fed).

Here's the doc to set up an OIDC provider to Entra ID: https://fusionauth.io/docs/lifecycle/authenticate-users/iden...

We have other things we charge for (pricing here: https://fusionauth.io/pricing?step=plan ) but we don't charge per SSO connection.

Can you clarify, are you suggesting that the bills footed by large orgs that require SSO are paying the bills for these features?

> but remember that the big price-insensitive customers pay for the price-sensitive customers

The fallacy is thinking that the alternative is for everyone to pay the lower price and get the enterprise features.

In reality, without market segmentation a singular price for everyone would fall much closer to the enterprise price than the non-enterprise price.

You can call it an SSO tax, but it would be equally correct to refer to the lower price as the non-corporate discount.

I think this is overly complimentary to big business and what's essentially predatory pricing.

The reality is you can't just carve out on feature and say "we pay for this." I mean that's true of a lot of things. The big revenue generators pay for a lot of things, but how things are billed is important. Remember, not to long ago people paid for Netscape, but now its laughable to pay for a browser. Its arbitrary to have this 'buffet' mentality and seems purposely shaming towards people who rightfully complain about ridiculous pricing structures like this.

I'm also skeptical that SSO costs vendors money. Maintaining and supporting an authentication database is a huge expense. For every SSO client, its one less Adobe or whatever account that needs to be hosted. Less helpdesk tickets about password resets, etc. SSO tends to be once and done. Hosting millions of accounts and being the sign-on provider for them is not 'once and done.'

Lastly, a lot of orgs don't do this. A lot arent SOC2. That means they'll just use whatever account the vendor supplies, and most likely without MFA, but their SSO would have provided that, thus making everyone more vulnerable. This is a great example of how exec salaries and stock buybacks and other things have priority over security because security is seen as a cost-center and without litigation or law, stuff like this becomes the norm. Oh and now there's one more source of passwords out there and another potential hack.

This is just greed and predatory. Its not the wonderful largess of big companies. It fact, its quite the opposite.

Thank you for adding some sanity to this discussion – this is ultimately a matter of economics, and the R&D effort to add and maintain these features is not trivial.

Similar reason why there is a big price difference between DVDs and Blu-rays, and why DVDs still exist in the first place.

Small orgs don't need to be SOC2 to have client contracts that require SSO. This is absolute fucking evil behavior and this page shouldn't exist anymore in 2025.

I like Patio11's characterization[0]:

> The right way to think of the "SSO tax" (where companies charge extra for security features) is "You are being offered a dual use product backed by a strong engineering team for far less than it would otherwise cost, with sophisticated enterprises picking up the slack."

That said, TLS/SSL used to be the preserve of the enterprise too (or at least the ecommerce site).

There are lots of free options, including 3rd party servers and libraries. I'm hoping eventually SSO will be, if not in free versions, at least not isolated to enterprise plans.

0: https://x.com/patio11/status/1481293027331440640

But I really like checking my email without signing in to a VPN.

> SSO was by far our most expensive feature to support. It was the single largest bucket of support requests and a significant percentage of those requests required an engineer to get on a call with a customer (and their IT team).

I can confirm this is how it goes.

You can theorize about how SSO should be straightforward or self-serve, but in practice the SSO feature creates a disproportionately large support and engineering burden.

When you’re dealing with SSO support for a customer buying 100 expensive seats it can be easy to justify.

When you’re debugging the SSO for some small shop with 3 licenses who will churn suddenly the moment their lead noticed a shiny new competitor, it’s not worth it.

Sorry but that just means the feature is difficult to use on either side, so that would be at least 50% of your problem anyway. Provide good docs? How about that?

Every time someone has a problem create docs for it and after some time those questions will reduce significantly.

edit: also, for people implementing this the first time it should be obvious what happens when

1) they create a new account in your app (local)

2) if they create a new account within SSO provider

3) what happens with existing accounts during setup and if current users will be migrated over or not (or if they can use both singins)